Subject: execvee security
To: None <tech-kern@NetBSD.ORG>
From: Niklas Hallqvist <niklas@appli.se>
List: tech-kern
Date: 11/15/1995 11:16:43
I've tried to look at the execvee security issues closer, with help
from CGD.  The point is that running set-id emulated executables might
be a security risk if any random user can change the personality of
the emulation.  In my execvee vocabulary, that means, an execvee call
with a non-NULL optv argument.  As anybody can create a non-setid
wrapper around a set-id binary and supply an optv to execvee this is a
valid concern.  What to do in these cases then?  Well, there are three
choices:

1	EACCES

2	Run the binary, but without altering ids in any way (like
	MNT_NOSUID)

3	Run the binary but don't supply the optv vector.

What is best?  I think I prefer 1, because that makes you aware of the
problem.  Both 2 & 3 might seem to work, when in fact they may do some
little semantic error due to the constraints.  I don't like it that
way, it's like a compiler generating wrong code, which I think is
worse than generating invalid code, coredumps, invalid error reports
or anything else.  Comments?

OTOH if optv is NULL, execvee is much like execve and should work as
such.

As execvee's purpose is to wrap binaries, it should be rather
transparent.  This means if execve runs a wrapper which execvees a
binary, it should look like we did an execve directly on the binary,
apart from emul-assoc specification and option passing.  One area that
this would not be true if we were not careful would be in the area of
saved-ids.  In order to make this transparent execvee should not set
the saved-ids at all, the execve that started the wrapper already took
care of that.  I wonder, are there other areas like this?

As usual, comments are gladly accepted.  Even flames, if they just
have a minor bit of tech-info in them :-)

Niklas

Niklas Hallqvist       Phone: +46-(0)31-40 75 00  Home: +46-(0)31-41 93 95
Applitron Datasystem   Fax:   +46-(0)31-83 39 50  Home: +46-(0)31-41 93 96
Molndalsvagen 95       Email: niklas@appli.se     GSM:  +46-(0)70-714 10 35
S-412 63  GOTEBORG
Sweden		       IRC:   niklas (#NetBSD)    ICB:  niklas (netbsd)